26 Reviews
20 of 21 people found the following review helpful:
4.0 out of 5 stars
good for users and developers,
By jose_monkey_org "jose_monkey_org" (ann arbor, mi, USA)
This review is from: Ethereal Packet Sniffing (Syngress) (Hardcover)
I've used the tool for years, and I've read the docs a bit, so I felt comfortable with the tool. Still, I wanted to learn something new with it, and I wanted to see if this book could offer what I was hoping for. The book delivers, and does a pretty good job. One of the big tests for me about any book that covers an Open Source project is "Does this book offer more than the existing documentation?" If it fails to, the book isn't worth the money, I'll stick with free docs. A bit of the book I didn't like was the choice of screenshots: quite a number of the screenshots were full screen dumps when only one or two elements of the page really mattered. Either trimmed or annotated screenshots would have been more welcome. A lot of information gets dumped in Ethereal, helping people navigate the UI with a static, black-and-white image would have been welcome. Now, on to the real strengths of the book. The book offers more coverage than the existing, free docs on Ethereal provide, or at least in a more manageable form. Obviously, with the source code in front of me I could dissect the tool and learn everything about it, but that's hardly efficient. Simply put, the book introduces network sniffing and troubleshooting well. How can you place a sniffer to get coverage, what can a sniffer tell you during troubleshooting (and what can it not?), and of course how to get and install Ethereal (on UN*X and Windows). The next chapter covers exactly what you would expect it to, how to use Ethereal. Ethereal's main use is as a GUI protocol analyzer, so you have menus, panes and windows to navigate. This chapter tells you what they are and how they present and format the data you're looking at. The next chapter deals with four tools that come with Ethereal: Tethereal (very similar to tcpdump), Editcap, Mergecap, and Text2pcap (all useful for managing pcap files). Chapter 7 is one of those handy things to read. 
Ethereal is typically used to read pcap files, but it can also read snoop files, Microsoft Network Monitor files, EtherPeek files, NAI's Sniffer files, and HPUX's nettl files, all of which you'll find around. It's handy that you can see how to integrate Ethereal with these other products. Chapter 8 brings it all together with real world packet captures, many of which are also on the included CD. These files include scans, Trojan uses, and even worm traffic. All of these are useful for learning how to use Ethereal and highlight the power of the tool. You can go from novice to a pretty decent network protocol junkie if you diligently study the resources in this chapter and on the CD. Chapter 9 will be useful to a small subset of people, but quite useful. This chapter gives you a tour of how to develop for and extend Ethereal. Ethereal's main strength is a huge number of decode routines, such as sFlow and MPLS (in addition to the standard ones like DNS, DHCP, and the like). Using this information you can extend Ethereal for your own needs and maybe even contribute back to the project. Either the developer's angle or the detailed discussions and examples of the filter syntax are my favorite parts of the book. They contribute significant value for everyday use, and I found them useful in a recent task at work. The book is going to run the risk of becoming quickly out of date, given the development pace of Ethereal. However, it relies more on underlying core concepts and principles inherent in Ethereal, so it should stay useful for longer than you may think. Also, Syngress has a book update feature that some people may find useful.
15 of 15 people found the following review helpful:
5.0 out of 5 stars
The Queen Mary 2 of Jay Beale's Open Source fleet,
By
This review is from: Ethereal Packet Sniffing (Syngress) (Hardcover)
"Ethereal Packet Sniffing" is the first book in Jay Beale's new Open Source Security Series with Syngress. It's a great book to lead the way. "Ethereal" is full of helpful tips and clear discussions that benefit newbies and wizards alike. I've been using Ethereal for around five years, and this book still taught me a few new tricks. The key to the new material is Ethereal's development, from 0.2 in July 1998 to 0.10.3 this year. (The book covers 0.10.0 which is far from being outdated.) The many improvements lend themselves to the sort of explanations found in "Ethereal." For example, my favorite material involved filters. Although chs. 4 and 5 had minor overlap regarding this feature, I learned new ways to manipulate Ethereal's packet search and display capabilities. Because the entire book focuses on a single suite of tools, it has the space to take in-depth looks at normally ignored components like stream analysis graphs. The book spends time explaining how to write filters with bitwise AND operations, and talks about 'matches' and 'contains' search functions. For programmers, the chapter on "developing Ethereal" gives clues on adding new protocol dissectors. This reminded me of a similar chapter in Syngress' book on Snort. If you want to really know how to use Ethereal, buy this book. However, it should have been called "Ethereal Packet Sniffer," not "Ethereal Packet Sniffing." The distinction lies in the book's focus; it spends most of its time explaining functions and not analyzing packets. Books on troubleshooting by Bardwell or Haugdahl have more insights to share than ch. 8 in "Ethereal." Nevertheless, I added this book to my recommended reading list for aspiring security engineers. It's worth a close read.
5 of 5 people found the following review helpful:
5.0 out of 5 stars
An easy-to-use resource,
By Midwest Book Review (Oregon, WI USA)
This review is from: Ethereal Packet Sniffing (Syngress) (Hardcover)
The latest contribution of Jay Beale's Open Source Security Series, Ethereal Packet Sniffing is the first reference book to cover the "packet sniffer" security tool that has become widely used among network administrators. Individual chapters of Ethereal Packet Sniffing cover installing and using Ethereal: Network Protocol Analyzer in Unix, Linux, or Windows, filters, other associated programs that come packaged with Ethereal such as Tethereal and Editcap, integrating Ethereal with other sniffers, developing Ethereal and its design tools, and much more. An easy-to-use resource filled with screenshots, sample code, and step-by-step examples and instructions. An accompanying CD contains Ethereal itself, including installation, reference, and packet capture files, complete with a 1 year upgrade buyer protection plan, making Ethereal Packet Sniffing more than just a supplementary guide; it's computer software with a far more exhaustive starter guide than any tiny little owner's manual can offer.
5 of 5 people found the following review helpful:
5.0 out of 5 stars
Most comprehensive resource for Ethereal,
By
This review is from: Ethereal Packet Sniffing (Syngress) (Hardcover)
I found this book to be easy to read and follow. The book is fully dedicated to the functionality of Ethereal. (It does not cover how protocols work, etc. I mention that because this book will be popular in IDS circles.) I was concerned about spending money on a book for a sniffer that I was already using and felt I already had a good handle on, but I am glad I did purchase it. If you spend time going through large packet dump files, the explanations on how to use the different display filters are worth the price of the book. The only complaint I would have would be the portion about "capture filters". I felt the explanation wasn't as thorough as I would have liked it to be, but BPF filters can be very difficult to explain, especially in only a few pages, so it's understandable. I did learn some interesting nuggets on using mergecap and using Ethereal without the GUI. Overall the best resource for Ethereal and worth buying.
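The two reviews above single out the same feature as the book's best material: display filters, including bitwise AND on a flags field and the 'contains' and 'matches' operators. The following is an added example, not code from the book, from any reviewer, or from the Ethereal project. It builds a tiny capture in libpcap format (the format Text2pcap produces and Editcap and Mergecap manage), dissects the Ethernet/IPv4/TCP headers, and evaluates filter strings written in Ethereal display-filter syntax. The traffic, the minimal dissector and the mini-evaluator (which only understands those three filter shapes) are constructed for this example; note that these are display filters, evaluated after capture, not the BPF capture filters the review above found thinly covered.

```python
"""Evaluate Ethereal-style display filters over a constructed pcap (added example)."""
import re
import struct
from typing import Callable, Dict, List

PCAP_MAGIC = 0xA1B2C3D4      # little-endian libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(sport: int, dport: int, flags: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP frame with constructed addresses; checksums left zero."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    tcp += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp


def build_pcap(frames: List[bytes]) -> bytes:
    """Serialize frames as a pcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return out


def dissect(frame: bytes) -> Dict:
    """Minimal dissector: only the IPv4/TCP fields the filters below need."""
    if frame[12:14] != b"\x08\x00":           # not IPv4
        return {}
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:                    # not TCP
        return {"ip.proto": frame[14 + 9]}
    t = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, t)
    doff = (frame[t + 12] >> 4) * 4
    return {"ip.proto": 6, "tcp.srcport": sport, "tcp.dstport": dport,
            "tcp.flags": frame[t + 13], "tcp": frame[t:], "tcp.payload": frame[t + doff:]}


def parse_pcap(data: bytes) -> List[Dict]:
    """Walk pcap records and dissect each frame."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    recs, off = [], 24
    while off < len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        recs.append(dissect(data[off + 16: off + 16 + incl]))
        off += 16 + incl
    return recs


# Three filter shapes: "field & mask [== value]", 'field contains "s"', 'field matches "re"'
_AND = re.compile(r"^(\S+)\s*&\s*(0x[0-9a-fA-F]+|\d+)(?:\s*==\s*(0x[0-9a-fA-F]+|\d+))?$")
_CONTAINS = re.compile(r'^(\S+)\s+contains\s+"([^"]*)"$')
_MATCHES = re.compile(r'^(\S+)\s+matches\s+"([^"]*)"$')


def _bytes_of(pkt: Dict, field: str) -> bytes:
    v = pkt.get(field, b"")
    return v if isinstance(v, bytes) else b""


def compile_filter(expr: str) -> Callable[[Dict], bool]:
    """Turn a display-filter string into a predicate over a dissected packet."""
    expr = expr.strip()
    if m := _AND.match(expr):
        field, mask = m.group(1), int(m.group(2), 0)
        want = int(m.group(3), 0) if m.group(3) is not None else None

        def pred(pkt: Dict) -> bool:
            v = pkt.get(field)
            if not isinstance(v, int):
                return False
            masked = v & mask
            return masked == want if want is not None else masked != 0
        return pred
    if m := _CONTAINS.match(expr):
        field, needle = m.group(1), m.group(2).encode()
        return lambda pkt: needle in _bytes_of(pkt, field)
    if m := _MATCHES.match(expr):
        field, rx = m.group(1), re.compile(m.group(2).encode())
        return lambda pkt: rx.search(_bytes_of(pkt, field)) is not None
    raise ValueError(f"unsupported filter: {expr!r}")


# Constructed traffic: a handshake, an HTTP GET, a lone SYN to 443, a FIN/ACK.
FRAMES = [
    build_frame(40000, 80, 0x02, b""),                                   # 1: SYN
    build_frame(80, 40000, 0x12, b""),                                   # 2: SYN/ACK
    build_frame(40000, 80, 0x18, b"GET /index.php HTTP/1.0\r\n\r\n"),    # 3: PSH/ACK
    build_frame(40001, 443, 0x02, b""),                                  # 4: SYN
    build_frame(40000, 80, 0x11, b""),                                   # 5: FIN/ACK
]
CAPTURE = build_pcap(FRAMES)

FILTERS = {
    "syn_only": "tcp.flags & 0x12 == 0x02",            # SYN set, ACK clear
    "synack":   "tcp.flags & 0x12 == 0x12",
    "http_get": 'tcp contains "GET "',
    "php_uri":  'tcp.payload matches "GET /[^ ]*\\.php"',
}


def apply_filter(expr: str, capture: bytes = CAPTURE) -> List[int]:
    """Return the 1-based frame numbers (as Ethereal shows them) matching expr."""
    pred = compile_filter(expr)
    return [i + 1 for i, pkt in enumerate(parse_pcap(capture)) if pred(pkt)]


if __name__ == "__main__":
    for name, expr in FILTERS.items():
        print(f"{name:9s} {expr:40s} -> frames {apply_filter(expr)}")
```

The point of masking with `& 0x12` rather than testing `tcp.flags == 0x02` is that it ignores the other flag bits, so a SYN with ECN bits set still matches; 'contains' is a byte search over the whole TCP segment, while 'matches' runs a regular expression, which is why the URI test uses an escaped dot.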
4 of 4 people found the following review helpful:
4.0 out of 5 stars
Essential tool for all IT staff,
By
This review is from: Ethereal Packet Sniffing (Syngress) (Hardcover)
I love protocol analysis. It's slightly arcane, just difficult enough to be interesting and incredibly useful for troubleshooting, planning, security and just plain learning more about networks. The great barrier has been cost - few shops have the inclination, much less the financing to afford this most essential of network professional tools. Enter open source software and Ethereal - a serious, cross platform protocol analyzer with enough features to get the job done. Of course, the trouble is knowledge - how do you use the darn thing? High-priced protocol analyzers have extensive support from the vendor and series of classes to learn both analysis in general as well as the specifics of that product. As an open source product, Ethereal presupposes at least some knowledge of protocol analysis to use effectively. This book, written with the Ethereal development team, is worth solid gold to any network pro.
Let me start out by saying that any protocol analyzer manual will have slow spots, even for geeks that love looking up obscure flags in hex. For the sadly normals out there, please, please, please feel free to skip around chapters 1-4 where important concepts are introduced. While the writing is quite good, the material in places is dry by nature. Don't waste your attention span on things like the complete list of protocols supported on page 45. Skip over those parts, flag them for reference when needed, and concentrate on the more immediately useful parts that are interleaved throughout. Just be sure to pore through chapter 5, which is the all-important filtering chapter. Then skip to Chapter 8, which introduces some real-world packet captures. Don't worry, you get to play with real captures, included on the disk. These files have already been slimmed to just the conversations in question so you don't have to figure out how to pick out 20 packets from 10,000. These are of real interest, and include vulnerability scanning, Trojans and several worms like Code Red. If these don't hit your hot button you're in the wrong field, baby! I do have a half-nit to pick about the book, and while it's small it does need to be said. The authors clearly wished to be very complete, writing what appears to be the definitive (and only!) book on Ethereal as well as providing adequate instruction on use. Multiple purposes unless handled very carefully lead to uneven, disjointed writing and that is clearly a flaw shared by this book. It would be hard to write as a cohesive unit containing both reference material and tutorials, theory, practice and a short course on general analysis. Worse it absolutely must cover over a half-dozen operating systems and at least mention related software - reading and writing capture files for other analyzers is essential, and fortunately covered well.
That the book doesn't fall completely apart is a testament to the writers and editor but another approach might have resulted in a better read. Still, this is THE definitive work on Ethereal and unlikely to be surpassed anytime soon. Like Ethereal itself this book is well worth the price and effort to master.
4 of 4 people found the following review helpful:
4.0 out of 5 stars
Excellent Information For An Excellent Program,
By
This review is from: Ethereal Packet Sniffing (Syngress) (Hardcover)
Ethereal is fairly commonly accepted as one of the best, if not the best packet sniffer available. If it's not the best, it certainly is hard to get more bang for the buck because Ethereal is freely available as an open source application.
The opening chapter provides a very good overview of network analysis for those who are new to the whole concept. It answers questions like "What Is Network Analysis and Sniffing?" and "How Does It Work?". One of the nice things about this book is that it is completely dedicated to this one product. So, rather than hitting the highlights of various applications and glossing over features and functionality this book provides entire chapters devoted to installing and using Ethereal's basic functionality and then goes on to cover advanced concepts in great detail. Chapter 7 explains how to integrate Ethereal with other products and using Ethereal to analyze data from applications such as Snort, Snoop, Microsoft Network Monitor and more. Because Ethereal is open source anyone with an idea and some extra time is welcome to contribute to the project by developing Ethereal further. Chapter 9 is dedicated to illustrating what you need to know as a developer to help improve Ethereal. The book comes with a CD which contains Ethereal among other things, but CDs are quickly outdated and you are better off downloading the current Ethereal from the site. Regardless, this book is a must have for anyone running Ethereal and is well worth the money. (...)
4 of 4 people found the following review helpful:
5.0 out of 5 stars
Don't use Ethereal without this book,
By Jon (Orlando, FL)
This review is from: Ethereal Packet Sniffing (Syngress) (Hardcover)
I am very impressed with this book and the quality of coverage. It is well written, full of examples, full of developer info. Pretty much everything you need is here, and it eliminates the need for you to go digging on web sites to find what you need. Also, one of the authors is on the Ethereal product team, so you know you're getting the right stuff. There are chapters on Tethereal, installing Ethereal on Windows and UNIX. The GUI, filters, etc. Everything I looked up was there and it's also a good book to start at page 1 and read right through.
6 of 7 people found the following review helpful:
4.0 out of 5 stars
Nice new functionality,
By
This review is from: Ethereal Packet Sniffing (Syngress) (Hardcover)
How anxious (paranoid?) are you about your network? Has a cracker taken over one of your machines and is using it to sniff your traffic? Or maybe to propagate worms, or emit spam, especially the phishing variety, which needs a server that cannot be directly owned by the phisher. For all these reasons, and as a prophylactic measure against them, sysadmins often use network analysis tools that come with their operating systems, like tcpdump under linux and unix and windump under Microsoft. But these tend to be limited in their analytic capability. A group of people wanted to improve matters. They banded together and called their product Ethereal. It is offered freely as open source, and has been tested on linux, most unixes and various Microsoft OSs. Strictly speaking, it has not been officially released. Which makes this book a little curious, on first glance. The book documents version 0.10.0, and has a CD with all the necessary code. The authors felt that pragmatically this version is stable enough and offers significantly better functionality over the alternatives. Granted, you may be trepid about installing beta code, on principle. But the authors argue persuasively that the Ethereal functionality, both in a GUI and at the command line, warrants a serious consideration by any sysadmin. Another reason to install Ethereal has to do with the case where you are already using some proprietary network analyser. If you also run Ethereal, then the two analysers act as cross checks on each other. While Ethereal may have some bugs, so too might that other product. But how might you ever know about the latter, without using Ethereal?
2 of 2 people found the following review helpful:
5.0 out of 5 stars
Valuable Adjunct to the On-Line Docs,
By
This review is from: Ethereal Packet Sniffing (Syngress) (Hardcover)
In Chapter 1 the book tells you to get a copy of Ethereal at www.Ethereal.com. This is correct. But be sure you spell it right; if you go to etheral you get to a rather strange looking site with links to a lot of places that look like you just might want to be sure your virus protection is up to date.
When you get to the Ethereal web site, you'll be offered a link to their documentation. You'll want to download it of course. Then the obvious question is why spend money for this book if the documentation is available free over the net. The answer is organization, layout, convenience and the fact that just having a different person explain things using a slightly different set of words and sentences sometimes makes things more clear. Look at it this way. If you're working on a network problem and reading both the on-line documentation and this book saves you an hour of frustration, you've more than paid the cost of the book. In addition, this book contains a great deal more information of the general or background type. For instance, I found the three pages describing the FBI's Carnivore (now DCS100) network analyzer to be quite interesting. This additional information also includes more help in understanding what the data Ethereal collects really means. If you're into the packet sniffing business, this is a book that belongs on your bookshelf.
4 of 5 people found the following review helpful:
4.0 out of 5 stars
Excellent book on Ethereal with one caveat,
By
Amazon Verified Purchase
This review is from: Ethereal Packet Sniffing (Syngress) (Hardcover)
Provides an exhaustive view of Ethereal and how to use it. The only complaint I have, and perhaps unfairly so, is that it doesn't give enough context for the use of the product--although I recognize the book doesn't claim to be a primer on packet sniffing, a bit more information on the meaning of what it is you are seeing in each packet, would be helpful. Regardless, I recommend this book highly. If I could give it 4.7 stars, I would.
Ethereal Packet Sniffing (Syngress) by Angela Orebaugh (Hardcover - April 21, 2004)
Used & New from: $0.24